THE PERSONAL DATA PROTECTION ACT 2010:
ISSUES & IMPLICATIONS
FIDE Forum – Breakfast Talk
11 April 2013
Adlin Abdul Majid
Content
• Introduction
• The 7 Principles
• Compliance
Why is data protection law important?
• Prevent abuse of personal data
• Prevent direct marketing
• Ensure that data is kept securely
• Ensure that data is accurate

Joining the global privacy & data protection community
Introduction
PERSONAL DATA PROTECTION ACT 2010
• Applies to any person who:
  • Processes, or
  • Has control over or authorises processing of
  personal data in respect of commercial transactions
• Application. Applies if:
  • Person is established in Malaysia & personal data is processed, whether or not in context of that establishment, by that person or any other person employed or engaged by that establishment
  • Person not established in Malaysia, but uses equipment in Malaysia to process personal data (otherwise than for purpose of transit in Malaysia)

Introduction
PERSONAL DATA PROTECTION ACT 2010
• NOT applicable to:
  • Federal & State Governments
  • Personal data processed outside Malaysia, unless intended to be further processed in Malaysia
Introduction
data subject
• Individual who is subject of personal data
data user
• Person who (alone or jointly or in common with other persons) processes personal data OR has control over OR authorises processing of personal data
• Does not include data processor
data processor
• Person (other than data user’s employee) who processes personal data solely on behalf of data user
• Does not process for own purpose
Introduction
personal data
Any information in respect of commercial transactions:
• that relates directly or indirectly to a data subject
• who is identified or identifiable from that information or from that & other information in the possession of a data user
• includes any sensitive personal data & expression of opinion about the data subject
May be in any form, so long as a data subject can be “identified” / “identifiable” (eg. name, NRIC no, phone no, photograph, e-mail address, fingerprint, DNA)
Introduction
sensitive personal data
• Any personal data consisting of information as to:
  • the physical or mental health or condition of a data subject;
  • his political opinions;
  • his religious beliefs or other beliefs of a similar nature;
  • the commission or alleged commission by him of any offence; or
  • any other personal data determined by the Minister
• Can only be processed under specific circumstances set out in PDPA (including explicit consent by data subject)
Introduction
PROCESSING includes:
• Collecting
• Recording
• Holding
• Storing
• Organisation, adaptation, alteration
• Disclosure
• Alignment, combination, correction, erasure, destruction
Introduction
commercial transactions
• Any transaction of a commercial nature, whether contractual or not
• Includes matters relating to:
  • Supply or exchange of goods or services;
  • Agency;
  • Investments;
  • Financing;
  • Banking; &
  • Insurance
• Does not include a credit reporting business

Introduction
commercial transactions
The Personal Information Protection & Electronic Documents Act (PIPEDA), Canada
Ferenczy v MCI Medical Clinics
• Collection of personal data by a private investigator to be used in legal proceedings is not a commercial transaction
• The transaction itself is not conclusive, but rather the intention in using the personal data
Introduction
commercial transactions

Case | Facts | Commercial transaction?
PIPEDA Case Summary #342 | Collection of personal data of tenants by landlords | Yes
PIPEDA Case Summary #309 | Collection of information of a child in a daycare organisation | Yes
PIPEDA Case Summary #345 | Collection of information by a private school | No; look at the core activity of the school’s services
Rodgers v. Calvert, 2004 ON SC (CanLII) | Collection of personal information in a membership list, which charged membership fees | No; charging a fee for membership does not mean it is for a commercial transaction
PIPEDA Case Summary #2009-008 | Collection of personal information by a social networking site | Yes; the personal data is used for the success of the website
Principles of data protection
For data to be processed lawfully in Malaysia, data user shall comply with following principles:
1. General Principle
2. Notice & Choice Principle
3. Disclosure Principle
4. Security Principle
5. Retention Principle
6. Data Integrity Principle
7. Access Principle

Figure: the seven principles mapped onto the parties. Between the Data Subject and the Data User: General Principle, Notice & Choice Principle, Access Principle. Between the Data User and the Data Processor / 3rd Party: Security Principle, Retention Principle, Integrity Principle, Disclosure Principle.
Principles of data protection
General Principle
• Data user shall not process personal data about a data subject UNLESS the data subject has given his consent to the processing of the personal data
• Personal data shall not be processed UNLESS:
  • For lawful purpose directly related to activity of data user
  • Necessary for or directly related to purpose
  • Adequate but not excessive in relation to purpose
What do you need consent for?
• Processing of non-sensitive personal data
• Processing of sensitive personal data (explicit consent)
• Disclosure of personal data to third parties
• Transfer of personal data overseas
Exemptions to consent

No | Exemption | Example
(a) | For the performance of a contract to which the data subject is a party | Employment contracts
(b) | For the taking of steps at the request of the data subject with a view to entering into a contract | Before the sale & purchase of a car, the information requested by the salesman in order to execute the contract
(c) | For compliance with any legal obligation to which the data user is the subject, other than an obligation imposed by a contract | When an organisation is under a duty pursuant to eg. tax laws, to provide information of its employees to authorities
(d) | In order to protect the vital interests of the data subject | In a situation where a person is unconscious & needs medical treatment to save his life
(e) | For the administration of justice | For the enforcement of a court order
(f) | For the exercise of any functions conferred on any person by or under any law | If an organisation is tasked to perform a service by a law
Sensitive personal data may only be processed if…
• Explicit consent given by data subject
• Processing is necessary
• Personal data has been made public
Principles of data protection
Notice & Choice Principle
• Data user shall provide a written notice to the data subject. To include:
  • That personal data of the data subject is being processed by or on behalf of the data user
  • Description of the personal data
  • Purpose it is collected & further processed
  • Class of 3rd parties to whom data user discloses / may disclose the personal data
  • Whether it is obligatory for the data subject to provide the personal data
• Must be given as soon as practicable
• In national language & English

Channels of serving notice
• Application forms
• Terms & conditions
• RFQs / RFPs
• Agreements
• Letters of employment
• Salary slips
• E-mails
Principles of data protection
Disclosure Principle
Personal data shall not, without the consent of the data subject, be disclosed:
• For any purpose other than the purpose disclosed at the time of collection or a related purpose; or
• To any party other than 3rd parties of the class in notice

Disclosure to third parties
Figure: flow of personal data from the data user to third parties. Within Malaysia: related companies / affiliates / consultants and authorities (notification of disclosure to 3rd parties); data processors ((1) notification of disclosure to 3rd parties, (2) data processors’ compliance with PDPA). Overseas: the same parties, plus notification of transfer out of Malaysia.
Principles of data protection
Security Principle
• A data user shall take practical steps to protect the personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction
• If processing is carried out by a data processor on behalf of the data user, the data user shall ensure that the data processor:
  • provides sufficient guarantees in respect of the technical & organisational security measures governing the processing
  • takes reasonable steps to ensure compliance with those measures

What is “adequate”?
Principles of data protection
Retention Principle
• The personal data processed for any purpose shall not be kept longer than is necessary for the fulfillment of that purpose
• No fixed time limit is prescribed, but once the personal data is no longer required for its initial purpose, it must be destroyed or permanently deleted
Principles of data protection
Data Integrity Principle
• A data user shall take reasonable steps to ensure that the personal data is accurate, complete, not misleading & kept up-to-date by having regard to the purpose, including any directly related purpose, for which the personal data was collected & further processed
Principles of data protection
Access Principle
• A data subject shall be given access to his personal data held by a data user
• Able to correct that personal data where the personal data is inaccurate, incomplete, misleading or not up-to-date
• EXCEPT where compliance with a request for such access or correction is refused under PDPA
Other key provisions
Rights of data subject
• Right to access personal data
• Right to correct personal data
• Right to withdraw consent
• Right to prevent processing likely to cause damage or distress
• Right to prevent processing for purpose of direct marketing

Other key provisions
• Data user registration
• Data user forum
Why is compliance important?

Offence | Liability
Contravention of the personal data protection principles | RM300,000 or imprisonment of 2 years or both
Failure to register as data user for specified class of data users | RM500,000 or imprisonment of 3 years or both
Data users continue to process personal data after the registration is revoked | RM500,000 or imprisonment of 3 years or both
Processing of sensitive personal data in contravention of s40 | RM200,000 or imprisonment of 2 years or both
Failure to comply with the Commissioner’s requirements to cease processing of personal data likely to cause damage or distress | RM200,000 or imprisonment of 2 years or both
Unlawful collection or disclosure of personal data | RM500,000 or imprisonment of 3 years or both
Transfer of personal data overseas in contravention of PDPA | RM300,000 or imprisonment of 2 years or both
Compliance
Top-down approach
• Analysis of status quo & existing gaps
• Solutions should address gaps by complying with legal requirements in an effective manner

Compliance
Prevent
• Risk assessment & regular reassessment
• Policies
• Guidelines
• Training
Detect
• Monitoring
• Compliance audit
• Concern / incident reporting
Respond
• Internal investigations
• Dealings with authorities
• Employment related consequences

Compliance
Privacy Impact Assessment / Compliance
Compliance
Privacy Impact Assessment
LOOK OUT FOR:
• Description of personal data
• How personal data is collected
• Was consent sought? How?
• Purpose of processing
• How personal data is kept – security?
• Procedures to ensure accuracy? Access?
• Retention period? Is personal data destroyed?
• Disclosure / transfer

Compliance
Types of Documents | Description
Type A: Policies & Procedures | 1. Internal Data Protection Policy; 2. External Data Protection Policy
Type B: Agreements | 1. Guide to amend agreements; 2. Amended agreements; 3. Supplementary agreement
Type C: Notices | 1. Recruitment; 2. Employment; 3. Customers; 4. Vendors
Compliance: Policies
• General
• IT & Security
• Access
• Retention

Compliance: Documents
• Application forms
• Terms & conditions
• Contracts of employment
• Employee handbooks
• Service agreements
• Notices

Remember: Transitional provision
Where a data user has collected personal data from the data subject or any third party before the date of coming into operation of PDPA, he shall comply with the provisions of PDPA within 3 months from the date of coming into operation of PDPA
Thank you
Adlin Abdul Majid (aam@lh-ag.com)
Lyssa Loh (lll@lh-ag.com)